Testing iOS App Vulnerabilities with Jailbreaking. Part 1.
While our main expertise is Angular & Web development, we create mobile applications as well. Today we want to talk about testing vulnerabilities in iOS apps — penetration testing (or simply pentesting). In this article, we’ll introduce you to pentesting and preparing device for it and then, in the next article, show you how to detect vulnerabilities themselves.
iOS and Jailbreaking
iOS is designed with a particular emphasis on security. All third party applications run in their sandboxes — secure environments that isolate their data, not allowing any manipulation of files from other applications or the operating system. Although, an app can access special shared data, like photos from the album or contact data, but it is not possible for an app to directly access files written by other apps. There’s nowhere to turn — the app can’t go beyond its sandbox and steal or break some other app.
By default, iDevices — all Apple devices running iOS — are not allowed to install apps from any source except the official Apple App Store. Apple is careful to ensure that no malware gets there, and approves applications only after studying their code.
The only exception is jailbroken devices. Jailbreaking permits root access — absolute power — in Apple’s mobile operating system, allowing the installation of external, potentially harmful, software. Jailbreaking gives a lot of work to Apple developers: they need to improve iOS security constantly and close new vulnerabilities. They even regularly pay hackers to find new holes.
iOS becomes more and more invulnerable every day. While iOS 13 was released on September 19, 2019, the app to jailbreak device with iOS 13 is just in its beta version. The latest stable version of iOS to have a stable jailbreaking available to the public is 12.4.
Besides, a lot of users continue using previous iOS versions and devices with it:
As long as there are users of older operating systems and you distribute an application that supports older iOS versions, your app should be checked for security vulnerabilities. The old versions are still commonly used, so jailbreaking remains a topical subject.
Why does my app need testing with Jailbreaking?
Jailbreaking allows finding vulnerabilities that can cause financial damage to the app owner. Hackers can deprive the business of its income or steal from you. Here are just several possible situations:
- In-app purchase fraud. If in-app purchases is your monetization strategy, protecting them should be your first-priority pentesting item. On the jailbroken device, the user can change in-app purchase server to the local storage and then make all in-app purchases for free.
- Ad blocking. 90% of iOS App Store apps are free, and the easiest way to make money with a free app is through advertising. The hint here is to remove ads from the app with the help of jailbreak app store’s ad blocker.
- Data leakage. For example, stealing data from your app’s users may lead to a decline in the reputation and fall of stocks.
- Data spoofing. The hackers can make fake or brand unsafe sites be shown as premium domains within app adds.
- Intercepted control of your app. Imagine your app controls wireless lighting equipment. If the app is hacked, the control of the equipment is overtaken.
For more detailed information on possible risks see OWASP Top 10 Mobile Risks, the Year 2016.
Why jailbreaking is dangerous for your device?
As well as your app may be affected by hackers, jailbreaking puts the device you’re testing on at risk. Make sure that the test device or its apps don’t have important sensitive data (e.g. make sure you don’t have a bank app installed) before you start — it may be damaged or stolen too. Therefore, we recommend using a separate device for such testing.
How to jailbreak iDevice for penetration testing?
Depending on the iOS version, jailbreaking method will vary and require installation from your PC. Let’s review how to jailbreak iOS 12.4 without connection to PC:
- Remove any iOS 12.4 OTA update file from Settings -> Storage and reboot your device.
- Make sure to create a backup of all important data on your device before jailbreaking.
2. Download latest Unc0ver:
- Go to ignition.fun on your iDevice.
- Use the search bar to find Unc0ver.
- Tap on Get followed by Install.
- Wait for the app to download and install it.
3. Trust certificate:
- Head over to Settings -> General -> Profile.
- Tap the developer’s name and trust the certificate.
4. Jailbreak the device:
- Open Unc0ver.
- Tap the Jailbreak button.
- Wait for the app to do its job: your iDevice will respring during the process after which you should see the Cydia (jailbreak app store for iDevices) icon on your home screen.
NOTE: If the app ends up freezing, wait for a few minutes. In case that does not work, reboot your iDevice and then repeat the above steps.
Since Cydia is no longer being actively updated, you can install an alternative store that was developed to fill the gap — Sileo, which works for iOS11 or newer.
Cydia and Sileo will allow downloading of tweaks — mini-apps that initially were intended to add more features for iOS users (like customizing the interface look) but later included tools to hit vulnerabilities of your app. Besides Store’s tweaks, your app can also be harmed by self-written injections. Hackers are more likely to write their tweaks for a particular app to crack it. This will be a narrow expensive professional work.
The iDevices are famed for their focus on safety. By default, any downloaded application will not interfere with other apps without user confirmation, so possibilities of accessing sensitive data are limited by design. But there is a loophole — jailbreaking — hacking Apple protection system to gain full access to the user’s device. Users can set non-approved software and have a deeper access to all installed applications.
Jailbreaking adds work not only to the Apple team but also to iOS app developers and test engineers. If your business can potentially suffer from application-related financial loss, you should check your application for the possibility of hackers to do anything harmful via the jailbroken device. Almost every app is potentially vulnerable — not just apps with in-app purchases or other money-related features.
Jailbreaking is possible on all iOS versions up to 13. Since Apple is continuously working on security, the quantity of iOS vulnerabilities is getting smaller and smaller. Still, you should pay attention to the statistics of different old iOS versions — if users don’t use some old iOS version, don’t bother supporting it. There will be fewer chances to crack it and less work for a developer and test engineer to work through vulnerabilities available only on jailbroken devices.
Having introduced you to iOS app vulnerabilities, we will later talk about penetration testing (or simply pentesting) to cover several test cases.
Stay on guard, fellas!
Dmitriy Zhemchugov, QA Engineer